2018 GNYADA Membership Directory

4. Consider implementing a strict data “push” system for sharing data
This means that you need to understand what data a service provider needs to provide the service, gather it internally from your systems (or through a vendor), and send it to the appropriate service providers in a secure manner. You would no longer allow vendors to access your systems directly for any reason. This approach allows you to have control over what data is shared, prevents concerns regarding the scope of access, and provides a documented audit trail of all data you have shared. Note that it is possible that a push system could affect the functionality of some services. However, carefully consider claims by vendors that they “need” “real-time” access. In many cases, regularly “pushed” data will be more than adequate.

5. Understand and control remote access issues
Mobile devices raise tremendous data access and data breach concerns. You should take steps to limit remote access and control the devices that provide access. Work with your counsel and DMS and other vendors to address the policy, security, and business implications of mobile device access. Consider the implications of remote access from employees’ “home” computers. Enact policies to control data access, copying, and sharing.

6. Understand data flow to your manufacturer(s)
You may not share certain protected data – even with your manufacturer – unless an exception to the Privacy Rule applies. This is a complicated area that depends highly on the facts and circumstances. If your manufacturer seeks to obtain NPI, get written confirmation that it is pursuant to an exception to the Privacy Rule.

7. Understand “P2P” (“Peer-to-Peer”) networks and enact a “P2P” policy
Have a policy, train your employees, and consider prohibiting access to P2P sites. Go here for more information: business.ftc.gov/documents/bus46-peer-peer-file-sharing-guide-business.

